===== Setting up a Prosody XMPP chat server =====
\\

==== Firewall ====

The following ports have to be opened in your firewall:

<code>
5222/tcp  # XMPP Client-to-Server
5269/tcp  # XMPP Server-to-Server
5281/tcp  # XMPP HTTPS (for file sharing)
</code>
----
\\

==== Prosody ====

> [[https://en.wikipedia.org/wiki/Prosody_(software)|Prosody]] (formerly lxmppd) is a cross-platform XMPP server written in Lua. Its development goals include low resource usage, ease of use, and extensibility.\\
\\

=== Installation ===

<code bash>
sudo apt install prosody prosody-modules lua-unbound
</code>

Add the ''prosody'' user to the ''ssl-cert'' group:

<code bash>
sudo usermod -aG ssl-cert prosody
</code>
\\

=== Configuration ===

Create a virtual host configuration:

<code lua /etc/prosody/conf.avail/quietlife.nl.cfg.lua>
VirtualHost "quietlife.nl"

admins = { "user1@quietlife.nl" }

modules_enabled = {
		"carbons";
		"cloud_notify";
		"mam";
		"seclabels";
		"smacks";
}

ssl = {
		certificate = "/etc/prosody/certs/quietlife.nl.crt";
		key = "/etc/prosody/certs/quietlife.nl.key";
		protocol = "tlsv1_2+";
		ciphers = "EECDH+AESGCM:EDH+AESGCM";
		dhparam = "/etc/ssl/dhparams.pem";
}

Component "conference.quietlife.nl" "muc"
Component "upload.quietlife.nl" "http_file_share"
http_file_share_size_limit = 100000000
</code>

Enable the configuration:

<code bash>
cd /etc/prosody/conf.d/
sudo ln -s ../conf.avail/quietlife.nl.cfg.lua .
</code>
\\

=== SSL certificate creation ===

Generate a certificate with ''certbot'' that contains your base hostname and subdomains **conference** and **upload**:

<code bash>
sudo certbot certonly -d quietlife.nl -d conference.quietlife.nl -d upload.quietlife.nl
</code>

If your base hostname is on a subdomain, use sub-subdomains:

<code bash>
sudo certbot certonly -d chat.quietlife.nl -d conference.chat.quietlife.nl -d upload.chat.quietlife.nl
</code>

If you already have a certificate for your base hostname, you can expand it to include these subdomains:

<code bash>
sudo certbot certonly --expand -d quietlife.nl -d conference.quietlife.nl -d upload.quietlife.nl
</code>
\\

=== DH parameters generation ===

If you don't have one already, generate ''dhparams.pem'' with ''openssl'':

<code bash>
cd /tmp/
openssl dhparam -out dhparams.pem 4096
sudo mv dhparams.pem /etc/ssl/
sudo chown root:ssl-cert /etc/ssl/dhparams.pem
sudo chmod 640 /etc/ssl/dhparams.pem
</code>
\\

=== SSL certificate import ===

Unlike Apache, nginx, Dovecot and Postfix, Prosody does not shortly run as root when started in order to read from ''/etc/letsencrypt/''. So certificates have to be copied to the ''/etc/prosody/certs/'' directory:

<code bash>
sudo prosodyctl --root cert import quietlife.nl /etc/letsencrypt/live
</code>
\\

=== SSL certificate renewal ===

If you use Let's Encrypt, you have to renew your certificates every three months. They also have to be re-imported by Prosody after every renewal. This can be automated with a script you put in ''/etc/letsencrypt/renewal-hooks/post/'':

<code bash /etc/letsencrypt/renewal-hooks/post/prosody.sh>
#!/bin/sh
prosodyctl --root cert import quietlife.nl /etc/letsencrypt/live
</code>

Make it executable:

<code bash>
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/prosody.sh
</code>
\\

=== Restart Prosody ===

<code bash>
sudo systemctl restart prosody.service
</code>
\\

==== Add users ====

<code bash>
sudo prosodyctl adduser user1@quietlife.nl
sudo prosodyctl adduser user2@quietlife.nl
...
</code>

----